Modern enterprise networks are scaling at a rate we have never seen before. With this expansion comes a hidden operational tax: infrastructure volatility and configuration drift. When live network devices diverge from their approved designs, security gaps widen, compliance audits fail, and troubleshooting sessions stretch into hours.
In response to this, Converge Global Concept Technologies, in partnership with Red Hat, delivers the Unified Network Automation Platform (UNAP). UNAP abstracts multi-vendor complexities into a single, unified virtual appliance, empowering operators to automate the full lifecycle of their network infrastructure, a lifecycle that includes provisioning, patching, and drift remediation.
Here’s how UNAP’s specialized “check-out” drift management and three-tier validation pipelines secure enterprise networks:
Configuration drift is rarely the result of a single large change. It is the cumulative result of localized, undocumented manual modifications made during troubleshooting or routine operational maintenance. When an administrator temporarily opens a firewall port or modifies an access control list without documenting the change in a centralized repository, the network’s live state diverges from its approved security baseline.
This divergence presents severe operational liabilities:
For years, service providers have struggled with complex open-source orchestration projects like the Open Network Automation Platform (ONAP). While powerful, ONAP’s high integration complexity and monolithic legacy often made deployment difficult.
UNAP offers a streamlined alternative. Packaged as a single-node virtual appliance (deployable via OVA or AMI templates), UNAP abstracts vendor-specific complexities into a single pane of glass without the administrative overhead of a raw automation platform.
Its key architectural elements include:
The heart of UNAP’s integrity engine is the drift check-out routine, a process that relies on a Git-centric Single Source of Truth (SSoT) where preferred states are declared as structured YAML variables (group_vars and host_vars).
When a scan is initiated, UNAP “checks out” the SSoT variables and runs playbooks in Check Mode (check_mode: true / --check) combined with Difference Output (--diff).
The check-out routine executes the following targeted query runs:
| Operational Parameter | Run Mode (Check-only / Check-out) | Run Mode (Active Enforcement) |
| --- | --- | --- |
| Execution Flag | --check --diff / check_mode: true | check_mode: false |
| System Impact | Non-intrusive; no commands are written | Intrusive; overwrites configuration to align with the target |
| Output Type | Generates a structured JSON diff of discrepancies | Returns execution logs (changed, ok, or failed) |
| Primary Use Case | Compliance audits and pre-deployment validation | Automated remediation and standard provisioning |
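
The check-only column above, written as an audit play. This is an added example, not UNAP's own playbook; the `switches` inventory group, the `vlans` variable (assumed to follow the module's `config` format) and the choice of `cisco.ios.ios_vlans` as the audited resource are assumptions.

```yaml
---
# Constructed example: audit-only drift scan. Nothing is written to the device.
- name: Drift check-out against the Git SSoT
  hosts: switches              # assumed inventory group
  gather_facts: false
  check_mode: true             # same effect as running with --check
  diff: true                   # same effect as running with --diff
  tasks:
    - name: Compare declared VLANs with the running configuration
      cisco.ios.ios_vlans:
        config: "{{ vlans }}"  # assumed variable from host_vars/group_vars
        # overridden also flags VLANs that exist on the device
        # but are absent from the SSoT
        state: overridden
      register: vlan_audit

    - name: Record drift for this host
      ansible.builtin.set_fact:
        drift_report:
          host: "{{ inventory_hostname }}"
          drifted: "{{ vlan_audit.changed }}"
          pending_commands: "{{ vlan_audit.commands | default([]) }}"

    - name: Fail the audit when the live state differs from the SSoT
      ansible.builtin.assert:
        that:
          - not vlan_audit.changed
        fail_msg: "Drift detected: {{ drift_report.pending_commands | join('; ') }}"
```

Setting `check_mode: false` on the play turns the same task into the enforcement run from the right-hand column, so the audit play should live in a job template that operators cannot edit ad hoc.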
Corrupted or invalid configurations should never be pushed to production. To ensure this, UNAP processes every drift check-out through a multi-layered validation pipeline before auto-remediation or manual approval.
Layer 1: Schema Validation
UNAP uses the ansible.utils.validate module to match SSoT variable files against strict JSON Schema templates. This automated gate confirms that hostnames adhere to naming standards, IP addresses conform to CIDR notations, and numeric values (such as VLAN IDs) fall within valid ranges, stopping syntax errors at the doorstep.
Layer 2: Logic Validation
Once the schema is validated, UNAP executes programmatic declarations using the ansible.builtin.assert module. This logic engine cross-references parameters to ensure consistency. It does this by checking that no duplicate IP addresses are defined within the subnet, and that all VLANs assigned to physical interfaces actively exist in the global VLAN database.
Layer 3: State Validation
The final tier validates real-time telemetry. Using state modules like cisco.ios.ios_interfaces with state: gathered, UNAP queries the live appliance to verify that interfaces are operational, routing tables (BGP/OSPF) are established, and ping reachability tests to upstream gateways succeed.
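The three layers chained as sequential gates in one play, as an added example (not UNAP's own pipeline). The `switches` group, the `vlan_schema` definition and the shape of the `vlans` and `interfaces` variables (`name`, optional `ipv4` and `access_vlan`) are assumptions; Layer 3 here checks only administrative state from the gathered configuration, not routing adjacencies or reachability.

```yaml
---
# Constructed example: each layer must pass before the next one runs.
- name: Validate SSoT data before remediation
  hosts: switches                  # assumed inventory group
  gather_facts: false
  vars:
    vlan_schema:                   # assumed JSON Schema for the `vlans` variable
      type: array
      items:
        type: object
        required: [vlan_id, name]
        properties:
          vlan_id: {type: integer, minimum: 1, maximum: 4094}
          name: {type: string, maxLength: 32}
  tasks:
    - name: "Layer 1: schema validation"
      ansible.utils.validate:
        data: "{{ vlans }}"
        criteria:
          - "{{ vlan_schema }}"
        engine: ansible.utils.jsonschema

    - name: "Layer 2: logic validation"
      vars:
        interface_ips: "{{ interfaces | selectattr('ipv4', 'defined') | map(attribute='ipv4') | list }}"
        access_vlans: "{{ interfaces | selectattr('access_vlan', 'defined') | map(attribute='access_vlan') | list }}"
      ansible.builtin.assert:
        that:
          - interface_ips | unique | length == interface_ips | length
          - access_vlans | difference(vlans | map(attribute='vlan_id') | list) | length == 0
        fail_msg: "Duplicate IP address or interface assigned to an undefined VLAN"

    - name: "Layer 3: gather live interface configuration"
      cisco.ios.ios_interfaces:
        state: gathered
      register: live

    - name: "Layer 3: declared interfaces must be enabled on the device"
      vars:
        enabled_names: "{{ live.gathered | selectattr('enabled', 'defined') | selectattr('enabled') | map(attribute='name') | list }}"
      ansible.builtin.assert:
        that:
          - item.name in enabled_names
        fail_msg: "{{ item.name }} is missing or administratively down"
      loop: "{{ interfaces }}"
      loop_control:
        label: "{{ item.name }}"
```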
Scheduled audits are highly effective, but relying on them exclusively allows drift to exist between scans. To close this compliance gap, UNAP integrates with Event-Driven Ansible (EDA) to create an autonomous, self-healing loop:
Deploying broad network automation across a distributed multi-vendor environment calls for a structured, phased rollout. Converge helps organisations establish a production-ready drift management framework in just three phases:
Manually configuring devices one by one is exactly how configuration drift sneaks in, and once it’s there, it’s expensive to chase down. UNAP shifts that model entirely. With a Git-based single source of truth, your intended network state is always version-controlled, auditable, and enforced automatically. Drift gets caught before it becomes a problem, and when something does fall out of line, the system corrects itself without waiting for a ticket to be raised. For enterprise architects, it becomes a network that reflects what the business needs it to do.
Converge can help your organization leverage Red Hat Ansible Automation Platform to automate network operations, reduce configuration drift, and improve operational resilience. Contact Us today.